PHPackages                             hershel-theodore-layton/simple-web-token - PHPackages - PHPackages  [Skip to content](#main-content)[PHPackages](/)[Directory](/)[Categories](/categories)[Trending](/trending)[Leaderboard](/leaderboard)[Changelog](/changelog)[Analyze](/analyze)[Collections](/collections)[Log in](/login)[Sign up](/register)

1. [Directory](/)
2. /
3. [Authentication &amp; Authorization](/categories/authentication)
4. /
5. hershel-theodore-layton/simple-web-token

ActiveLibrary[Authentication &amp; Authorization](/categories/authentication)

hershel-theodore-layton/simple-web-token
========================================

An implementation of the Simple Web Token specification.

v0.4.0(2mo ago)0961MITHackCI passing

Since Jun 23Pushed 2mo ago1 watchersCompare

[ Source](https://github.com/hershel-theodore-layton/simple-web-token)[ Packagist](https://packagist.org/packages/hershel-theodore-layton/simple-web-token)[ RSS](/packages/hershel-theodore-layton-simple-web-token/feed)WikiDiscussions master Synced 1mo ago

READMEChangelog (6)Dependencies (4)Versions (7)Used By (0)

simple-web-token
================

[](#simple-web-token)

*An implementation of the Simple Web Token specification.*

### Usage

[](#usage)

```
// This example assumes you have some `$your_key_store`,
// which maps key names to keys.

$serialized = SimpleWebToken\sign(
  vec[
    tuple('com.example.user_id', '4'),
    tuple(SimpleWebToken\Token::EXPIRES_ON, (string)(\time() + 300)),
    tuple('com.example.secret_key_used', '#1')
  ],
  SimpleWebToken\this_is_the_secret_key($your_key_store->load('#1')),
);

$token = SimpleWebToken\parse($serialized);

$key = $your_key_store->loadKey(
  $token->getUniqueKeys() |> idx($$, 'com.example.secret_key_used', 'default')
);

$state = $token->validate($key, \time());

switch ($state) {
  case SimpleWebToken\Validity::VALID:
  case SimpleWebToken\Validity::EXPIRED:
  case SimpleWebToken\Validity::INVALID:
}

// Or the shorthand
$token->isOkay($key, \time()); // This returns `true` for `::VALID` only.
```

### Performance vs. purity

[](#performance-vs-purity)

The native functions `\hash()` and `\hash_hmac()` are not pure in hhvm version 4.172 and below (the most recent version released to date). `\hash()` has been made pure in October 2023. This repository includes `SimpleWebToken\sha256_pure()` as a replacement for `\hash()`, which is pure.

When running in repo auth mode, the jit will kick in and make the performance of this polyfill about 20% of the native `\hash()` function. The performance deficit is greater before the jit has optimized it, especially when not running in repo auth mode. If you have a very high traffic to your site and CPU cycles are scarce, you will definitely feel the hit of the unoptimized bytecodes shuffling bytes around. You may opt to use `SimpleWebToken\sha256_native()` to regain all performance, at the cost of requiring `[defaults]`.

If you are running a build of hhvm@next at or after [this commit](https://github.com/facebook/hhvm/commit/9ec4a4400535521c74ebc9db47dcdf7b9785a2bc)from October 2023. You can pass a native wrapper with a pure context.

The latest release Oxygen is able to run on hhvm@next. This version of `sha256_native` `return hash('sha256', $data, true);` is now pure. You can create a pure version of `sha256_native` and hash your tokens ever so slightly faster.

### License

[](#license)

This code is licensed under the [MIT License](./LICENSE), but note, this code implements the Simple Web Token specification.

The Simple Web Token specification version 0.9.5.1, which can be found [here](https://learn.microsoft.com/en-us/previous-versions/azure/azure-services/hh781551(v=azure.100)?redirectedfrom=MSDN), is licensed under the [Open Web Foundation Agreement Version 0.9](https://www.openwebfoundation.org/the-agreements/the-owf-0-9-agreements-necessary-claims/open-web-foundation-agreement-0-9). This license is permissive, as long as you do not take non-defensive patent legal action against implementers of the specification. This also applies to this implementation (and implementer).

### Acknowledgments

[](#acknowledgments)

The Simple Web Token specification has been authored by:

- Dick Hardt (), Editor
- Yaron Goland ()

The implementation of SHA-256 in Hack was heavily based on amosnier's C implementation. This Hack implementation can be found [here](https://github.com/hershel-theodore-layton/simple-web-token/blob/master/src/_Private/sha256.c.hack). The implementation in C can be found [here](https://github.com/amosnier/sha-2/tree/b29613850d6e54e7159197ef42c7d22d012b6367). The C code is licensed under `The Unlicense` or `BSD-0-Clause` at your option. Both licenses are public domain equivalent and do not require attribution. Thank you Amosnier, porting it was a pleasant experience.

I believe to have met the requirements imposed on me by the third-party licenses. If you spot a violation of any third-party licenses in under this Github namespace, you may notify me by filing a Github Issue on the affected projects.

###  Health Score

38

—

LowBetter than 85% of packages

Maintenance84

Actively maintained with recent releases

Popularity18

Limited adoption so far

Community7

Small or concentrated contributor base

Maturity34

Early-stage or recently created project

 Bus Factor1

Top contributor holds 100% of commits — single point of failure

How is this calculated?**Maintenance (25%)** — Last commit recency, latest release date, and issue-to-star ratio. Uses a 2-year decay window.

**Popularity (30%)** — Total and monthly downloads, GitHub stars, and forks. Logarithmic scaling prevents top-heavy scores.

**Community (15%)** — Contributors, dependents, forks, watchers, and maintainers. Measures real ecosystem engagement.

**Maturity (30%)** — Project age, version count, PHP version support, and release stability.

###  Release Activity

Cadence

Every ~122 days

Recently: every ~68 days

Total

6

Last Release

83d ago

### Community

Maintainers

![](https://www.gravatar.com/avatar/d16d159b7061287c506d4ab44d05ae042bc4ec697116d1bd132a007634d9ff21?d=identicon)[Hershel Theodore Layton](/maintainers/Hershel%20Theodore%20Layton)

---

Top Contributors

[![hershel-theodore-layton](https://avatars.githubusercontent.com/u/81193606?v=4)](https://github.com/hershel-theodore-layton "hershel-theodore-layton (36 commits)")

### Embed Badge

![Health badge](/badges/hershel-theodore-layton-simple-web-token/health.svg)

```
[![Health](https://phpackages.com/badges/hershel-theodore-layton-simple-web-token/health.svg)](https://phpackages.com/packages/hershel-theodore-layton-simple-web-token)
```

###  Alternatives

[bezhansalleh/filament-shield

Filament support for `spatie/laravel-permission`.

2.8k2.9M88](/packages/bezhansalleh-filament-shield)[gesdinet/jwt-refresh-token-bundle

Implements a refresh token system over Json Web Tokens in Symfony

70516.4M35](/packages/gesdinet-jwt-refresh-token-bundle)[illuminate/auth

The Illuminate Auth package.

9327.3M1.0k](/packages/illuminate-auth)[beatswitch/lock

A flexible, driver based Acl package for PHP 5.4+

870304.7k2](/packages/beatswitch-lock)[amocrm/amocrm-api-library

amoCRM API Client

182728.5k6](/packages/amocrm-amocrm-api-library)[vonage/jwt

A standalone package for creating JWTs for Vonage APIs

424.1M4](/packages/vonage-jwt)

PHPackages © 2026

[Directory](/)[Categories](/categories)[Trending](/trending)[Changelog](/changelog)[Analyze](/analyze)